CVE-2025-66478: RCE in React Server Components
Bulletin ID: AWS-2025-030
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2025/12/03 19:45 PDT
Description:
AWS is aware of the recently disclosed CVE-2025-55182, which affects the React Server Components (Flight) protocol in React 19.0, 19.1, and 19.2, and in Next.js 15.x and 16.x, as well as Next.js 14.3.0-canary.77 and later canary releases, when the App Router is used. This issue may permit unauthorized remote code execution (RCE) on affected application servers.
AWS is aware of CVE-2025-66478, which has been rejected as a duplicate of CVE-2025-55182.
Customers using managed AWS services are not affected, and no action is required. Customers running an affected version of React or Next.js in their own environments should update to the latest patched versions immediately:
- Customers using React 19.x with Server Functions and React Server Components should update to the patched release for their minor version: 19.0.1, 19.1.2, or 19.2.1.
- Customers using Next.js 15.x or 16.x with the App Router should update to a patched version.
Version 1.24, the current default version of the AWS WAF managed rule group "AWSManagedRulesKnownBadInputsRuleSet", now includes an updated rule for this issue. Customers who have pinned that rule group to an earlier static version should move to version 1.24 or to the default version. As an interim protection measure, customers can deploy a custom AWS WAF rule to help detect and block exploitation attempts where applicable. See "Adding a custom AWS WAF rule" below.
AWS is actively monitoring for updates on this issue. If you need additional details or assistance, please open an AWS Support case.
Adding a custom AWS WAF (Web Application Firewall) rule
To add defense in depth against this issue, you can deploy a custom AWS WAF rule. The following rule is set to BLOCK. We recommend testing it before enforcing it: deploy it first with the action set to Count, review the sampled requests and the "ReactJS_Custom" CloudWatch metric, and only then switch the action to Block. Adjust the Priority value so that it does not collide with existing rules in your web ACL. Note that the body statements use "OversizeHandling": "CONTINUE", so only the portion of the request body that AWS WAF inspects (8 KB or 16 KB by default, depending on the protected resource) is evaluated, and the rule is a detection aid, not a substitute for patching.
{
  "Name": "ReactJSRCE_CUSTOM",
  "Priority": 99,
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "RegexMatchStatement": {
            "RegexString": "POST",
            "FieldToMatch": {
              "Method": {}
            },
            "TextTransformations": [
              {
                "Priority": 0,
                "Type": "NONE"
              }
            ]
          }
        },
        {
          "RegexMatchStatement": {
            "RegexString": "(?i)(?:next-action|rsc-action-id)",
            "FieldToMatch": {
              "Headers": {
                "MatchPattern": {
                  "All": {}
                },
                "MatchScope": "KEY",
                "OversizeHandling": "CONTINUE"
              }
            },
            "TextTransformations": [
              {
                "Priority": 0,
                "Type": "NONE"
              }
            ]
          }
        },
        {
          "RegexMatchStatement": {
            "RegexString": "(?i)\"status\"\\s*:\\s*\"resolved_model\"",
            "FieldToMatch": {
              "Body": {
                "OversizeHandling": "CONTINUE"
              }
            },
            "TextTransformations": [
              {
                "Priority": 0,
                "Type": "URL_DECODE_UNI"
              },
              {
                "Priority": 1,
                "Type": "JS_DECODE"
              },
              {
                "Priority": 2,
                "Type": "UTF8_TO_UNICODE"
              }
            ]
          }
        },
        {
          "RegexMatchStatement": {
            "RegexString": "\\$\\@",
            "FieldToMatch": {
              "Body": {
                "OversizeHandling": "CONTINUE"
              }
            },
            "TextTransformations": [
              {
                "Priority": 0,
                "Type": "URL_DECODE_UNI"
              },
              {
                "Priority": 1,
                "Type": "JS_DECODE"
              },
              {
                "Priority": 2,
                "Type": "UTF8_TO_UNICODE"
              }
            ]
          }
        }
      ]
    }
  },
  "Action": {
    "Block": {}
  },
  "RuleLabels": [
    {
      "Name": "ReactJSRCE_Custom"
    }
  ],
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "ReactJS_Custom"
  }
}
Please email aws-security@amazon.com with any security questions or concerns.